Security

Why does Splunk start SplunkWeb on Windows during boot when configured as LightForwarder?

Joffer
Path Finder

I've got several Windows servers which have Splunk 4.1.3 installed, and even though I disable the webserver and configure Splunk as a LightForwarder, SplunkWeb keeps starting after the server has booted. If I restart Splunk manually it doesn't start again.

splunk disable webserver
splunk enable app SplunkLightForwarder
splunk add forward-server splunk01.mydomain.loc:9997

After a (re)boot:

C:\Users\Joffer>splunk status
Splunkd: Running (pid 1992)
Splunkweb: Running (pid 1160)

If I then manually restart Splunk on the same server:

C:\Users\Joffer>splunk status
Splunkd: Running (pid 1992)
Splunkweb: Running (pid 1160)

C:\Users\Joffer>splunk restart
Splunkweb: Stopping (pid 1160)
Splunkd: Stopped

Splunk> Needle. Haystack. Found.

Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking configuration...  Done.
        Checking index directory...  Done.
        Checking databases...
        Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, splunklogger, summary
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Splunkd: Starting (pid 1700)
Done.

New check, and as you can see, SplunkWeb isn't running anymore:

C:\Users\Joffer>splunk status
Splunkd: Running (pid 1700)
Splunkweb: Stopped

I didn't use to manually disable the webserver first, since it's supposed to be disabled by Splunk when I enable the LightForwarder. So why is the webserver started?

1 Solution

ftk
Motivator

This issue is fixed in the very latest release, 4.1.4. Check out the release notes: http://www.splunk.com/base/Documentation/latest/ReleaseNotes/4.1.4#Unsorted_issues

The issue you are encountering is

Splunk Windows services (both splunkweb and splunkd) are installed by default with Startup Type set to "automatic", which means that if you have deployed light forwarders on Windows and haven't explicitly set Startup Type to "manual", the splunkweb process gets started every time you reboot your forwarders. (SPL-22434)

New installations of 4.1.4 should not have this problem any longer.

On your 4.1.3 servers you can disable the Splunkweb service with the following command run as a member of the Local Administrators group:

sc config start=demand Splunkweb

You can also do this remotely using

sc \\servername config start=demand Splunkweb

Joffer
Path Finder

I did an upgrade from 4.1.3 to 4.1.4 on my Windows 2008 server (non-R2). I stopped Splunk first, ran the msi file and checked splunk status. It was only running splunkd, as the 4.1.3 config was configured to. But the SplunkWeb service was reset to "automatic", so I did a reboot of the server, and SplunkWeb was back running after the reboot.

"splunk disable webserver" or "splunk enable app SplunkLightForwarder" did not change the SplunkWeb startup status, so I still have to set it to disabled or manual in the Windows Services GUI.

0 Karma

Joffer
Path Finder

I can confirm that setting SplunkWeb to Manual (start= "demand") works. SplunkWeb did not start after a reboot.

0 Karma

ftk
Motivator

You're right about sc -- sorry wrote this from memory and I usually just switch between disabled and auto. New installations of 4.1.4 should have this issue resolved according to the change log. All my deployment scripts account for this issue being present so they set the service to disabled, haven't tried a manual install yet to verify resolution.

0 Karma

Joffer
Path Finder

Is it fixed? For me it looks like it's an unresolved issue still?

Your 'sc' command was a bit wrong. The correct (for Manual setting) is:

sc config Splunkweb start= demand
0 Karma
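
The check and fix discussed in this thread, as an added example that is not part of any post and is not Splunk's own tooling: a PowerShell script that reports the Splunkweb start mode on a list of forwarders and, with -Fix, sets it to Manual and stops the running service. The host names are constructed placeholders, and remote CIM access (WinRM) with local administrator rights on each target is assumed.

```powershell
# Added example: audit (and optionally correct) the Splunkweb start mode on forwarders.
# Host names are constructed placeholders; remote CIM access (WinRM) and local
# administrator rights on each target are assumed.
param(
    [string[]]$ComputerName = @('fwd01.example.loc', 'fwd02.example.loc'),
    [string]$ServiceName = 'Splunkweb',
    [switch]$Fix   # without -Fix the script only reports
)

foreach ($computer in $ComputerName) {
    $row = [ordered]@{ Computer = $computer; StartMode = $null; State = $null; Action = 'none' }
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
                   -Filter "Name='$ServiceName'" -ErrorAction Stop
    } catch {
        $row.Action = "query failed: $($_.Exception.Message)"
        [pscustomobject]$row
        continue
    }
    if (-not $svc) {
        $row.Action = 'service not installed'
        [pscustomobject]$row
        continue
    }
    $row.StartMode = $svc.StartMode   # Win32_Service reports Auto, Manual or Disabled
    $row.State     = $svc.State

    if ($svc.StartMode -eq 'Auto') {
        $row.Action = 'starts at boot'
        if ($Fix) {
            # Same effect as: sc config Splunkweb start= demand
            $r = Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                     -Arguments @{ StartMode = 'Manual' }
            $row.Action = "ChangeStartMode returned $($r.ReturnValue)"   # 0 = success
            if ($r.ReturnValue -eq 0 -and $svc.State -eq 'Running') {
                $s = Invoke-CimMethod -InputObject $svc -MethodName StopService
                $row.Action += ", StopService returned $($s.ReturnValue)"
            }
        }
    }
    [pscustomobject]$row
}
```

Since the thread reports that the 4.1.3 to 4.1.4 upgrade reset the service to "automatic", the report is worth re-running after each upgrade.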

Paolo_Prigione
Builder

I think you'll have to manually stop the splunkweb service (from Start->Run->services.msc) and set its startup setting to either "manual" or "disabled".

Also, double check that splunkd gets started with the proper permissions on the folder $SPLUNK_HOME/var/: if you start splunk from the CLI the first time and then reboot the system, the "System Local" user might not have the correct privileges to correctly start up splunkd.

This documentation page might help you out: Installation on Windows

0 Karma